A page to show up #1 on Google when searching for "Jeremiah" (Currently #4). Only the prophet and TV show left! I have the edge, TV show is cancelled and the prophet isn't generating any new content.

The prophet, TV show, and that pesky Owyang guy going down!

A page to show up #1 on Google when searching for "Jeremiah Grossman", and it FINALLY has!

Monday, July 07, 2008

Web Security Specialist ~ Tenacious Hunter Needed

We're hiring, especially those who want to hack into websites for a living. That's right, paid to hack. If you don't know how, that's OK because we're ready to train. If you or someone you know might be interested in the opportunity, fill out the form on the job listing page. Note: you must reside in the S.F. Bay Area or be willing to relocate.

"WhiteHat Security has an amazing opportunity for the creative person itching to take a crack at poking holes in websites while on the prowl for gaping security vulnerabilities. In this role you will have access to thousands – yes, thousands – of well-known websites. Your job will be to actively root through them looking for all the ways a blackhat might use to break into a site. In this role you will master the basics of web application security and secure software engineering and learn what it takes to become a skilled hacker--an incredible launching pad for your career in the web application security industry."

Jeremiah, is there a better way to contact you about these positions? I would be willing to relocate for an opportunity like this, and have realized for quite some time that in order to actually obtain a career in penetration testing and software security architecture I would most likely have to move out to California anyhow being as there are slightly limited I.T./I.S. jobs available on the Eastern half of the U.S. (as far as auditing goes). I'm interested to know all of the details about it.

I've been doing web application assessments for a long time. What I find difficult to grasp, as I seek employment elsewhere, is that so many companies still require on-site-only staff. Being a "virtual employee" or "telecommuter" for 5 years makes a jump from this lifestyle back into "The Office" lifestyle a bit of a challenge. Although there has been a lot of talk, recently, about a renewed push for remote employee programs.

Too bad you don't have options for remote employees. I know a good chunk of a whole team that's ready to leave.

None of our operations team travels, as we're not consultants. At some point we plan to open up more geographically distributed offices for our ops team to extend the clock. However, since our customer base is U.S.-centric, we really haven't needed to thus far. Right now we focus on making sure our technology, people, and process are perfect, then replicate elsewhere.

When I say "on-site" I'm talking about being away from my home office and at your office. Not that of clients in a consultant scenario. Anytime I'm not in my office (which is located approximately 10 feet from my bedroom) I'm "on-site". :)

Oddly enough, we had this identical conversation with another well known app testing shop. Adding to the oddity of being able to test with music thumping at any time of day or night (client testing window notwithstanding) and wearing dayglo-boxers 4 days in a row while the family is out of town, the "bunny slippers crew" now refers to any work not in our humble home offices as "on-site". :)

Or perhaps I've misunderstood you completely? Suffice it to say that if there was an opportunity to work without the requirement of traveling to an office on a daily basis, I know of a number of people looking.

I see what you are saying. OK, well, I can only tell you how we do it. Everyone comes into the office and works in coordinated teams. Clients are all remote to us. Yah, I know a lot of people are looking for similar roles, but our requirements are quite stringent and particular.

Jeremiah, besides read read read and tinker and break it and tinker and read. What advice do you give to someone looking to get out of network support and into the security side of things? Is a 4 year degree really something companies look for? (I mean I realize any company that even looks remotely interesting and challenging to work for "suggests" or requires a 4 year degree or higher.) Does experience, talent and a 2 year degree get any respect? As someone looking for employees, and taking the opportunity to "advertise" it to readers of his blog, I am curious. Your wording of this blog post and the wording of the recruiting site are very different. Signed,

Well, I can't speak for all employers in this space, and while degrees and certifications are interesting to us, it's not high on our must-have scale.

Our needs are very particular and we don't expect to find the skill set in the bulk of our candidates, so we have to train them up in the space and our processes. What we look for more than anything is a demonstration of passion, personal initiation, and a highly analytical mindset. These are the things we can't train.

So as far as breaking into the industry goes, my advice is get to know as many people as you can and get involved with community projects. Few things demonstrate one's capabilities better.

Jeremiah, I listen to pauldotcom and a bunch of other security podcasts and your name gets mentioned a lot. Anyway, what community projects can be contributed to in order to break into the security industry? I am a Unix sys admin by profession... just like you used to be.

I think you're totally missing the point of the questions about working from home versus moving to the Bay.

There are absolutely TONS of brilliant people who you guys are missing out on because of this archaic and outmoded idea that somehow people are more productive in an office rather than working from home, and working from anywhere in the world.

This is a high tech industry... Even in the same office, most people communicate via IM, mail, phone, and a million other methods.

Why do so many companies, especially in the Bay Area, seem to expect people to work like they were living in the 1950s?

I'd love to work for you guys and would kick ass at the job, but I'll stick with my current employer who understands performance-based-management and a distributed remote workforce.

@anonymous, please don't assume that you understand our particular operating business requirements better than we do. We have very good reasons for doing the things the way we do, not the least of which is data security precautions. Our methods served us and more importantly our customers very well. We are not consultants and our model is completely different than the telecommuting model you may be envisioning. For many people the environment is simply not a good fit, but that's OK, timing as they say is everything.

Hey, that sounds fair and fundamentally I agree with you. I mean it's not like WH is culturally against a remote work force. We have many people who telecommute extensively, sales people and such. Developers as well from time to time. It's just our operations department is very special and important to us. As an indication I personally feet away from to make sure things are running smoothly. For that sense of personal assurance, I'll pay the (inefficient) premium.

Jeremiah Grossman.. I've recently graduated with a computer science degree and am looking to get my foot in the door in web application development. My focus is php, javascript, mysql type stuff. I think web application security would be a very important thing to have in addition to the programming side. I'm just curious, do you think this type of position would steer a programmer away from his field? Would you qualify this position in the Quality Assurance area? I have done so much programming it would be a shame to lose those skills by not using them. Just wanted your opinion.

Hello, I think it really comes down to what exactly you want to do. Programmers with security background/training tend to be at least slightly more marketable because they basically have more experience. If you are straight out of school, you could find a decent programming position where you can apply and hone your skills. Then start personal research into secure programming and just maybe your employer will pay for specialized training. If not, then you have to do it on your own. Either way the best way to demonstrate your skills is by projects, either on the job or those that are public / open source. That says a lot about a person's capabilities beyond a resume.